DNS hijack leads to theft of $400,000 in cryptocurrency

Hackers once again target DNS servers in another get-rich-quick cryptocurrency scam-o-rama.

DNS settings for crypto-wallet BlackWallet.co have been hijacked, resulting in the theft of $400,000 of Stella Lumen (XLM).

On logging on, wallets containing more than XML20 are cleaned out using some injected JavaScript found by cyber researcher Kevin Beaumont.  Beeping Computer reports that the destination wallet contained some $400,000 although there is evidence that the hackers are now trying to move the currency to the Bittrex exchange.

DNS – the weak link

DNS has always been popular for DDoS amplification and other exploits – but DNS hijacking is also a useful weak link as corporate networks are becoming more secure.

In September 2017, security provider Fox IT was hit when hackers changed the A record to their client portal on fox-it.com.  By redirecting inbound e-mail traffic for just ten minutes, the attackers then had sufficient time to register a fake SSL certificate for their overseas Virtual Private Server.  Although the change was spotted about six hours after the initial changes were made, it took a considerable amount of time for the changes to fully propagate around the Internet.

An attack a year earlier took over the entire infrastructure of a Brazilian bank – including 36 domain names.  This allowed attackers to register new SSL certificates and put their own “near perfect” copies of the bank’s websites online to install malware which would later harvest login credentials.  The attack crippled ATM machines and also took down the corporate e-mail system, hampering efforts to regain control.  As will the Fox-IT attack, it took several hours to regain control once DNS was back in the bank’s hands.

The irony of the Brazilian attack was the use of Google Cloud to host their copy websites.  Performance was so good that there were no immediate complaints from the bank’s five million customers that might have triggered an investigation by IT.

Take the trouble to secure your DNS

DNS is so rarely changed that it’s usually ‘fit and forget’ for most people – which is why in the case of Fox-IT, the password for their hosting provider hadn’t been changed since it was itself attacked in 2013.  Here are some suggestions on how to mitigate the risk to your DNS:

• Make sure your registrar password is both strong and unique
• If your registrar reports any compromise of their systems – change your password
• Choose a registrar that supports 2-Factor Authentication
• DNSSEC provides an additional layer of DNS protection – make sure you turn it on
• Keep contact details up to date in case you need to phone or fax your registrar
• If you’re monitoring for an attack – changes to your DNS settings should be part of your IoCs